CVE-2017-8386
Published: 10 May 2017
git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.
Priority
CVSS 3 base score: 8.8
Status
Package | Release | Status |
---|---|---|
git Launchpad, Ubuntu, Debian |
Upstream |
Released
(1:2.11.0-3)
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Released
(1:2.7.4-0ubuntu1.1)
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was released [1:1.9.1-1ubuntu0.5])
|
|
Patches: Upstream: https://git.kernel.org/pub/scm/git/git.git/commit/?id=3ec804490a265f4c418a321428c12f3f18b7eff5 |
Notes
Author | Note |
---|---|
tyhicks | Per upstream advisory, 1.6.1 is the earliest version affected |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8386
- http://lkml.iu.edu/hypermail/linux/kernel/1705.1/01337.html
- http://lkml.iu.edu/hypermail/linux/kernel/1705.1/01346.html
- https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/
- https://usn.ubuntu.com/usn/usn-3287-1
- NVD
- Launchpad
- Debian